Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
Published: 2026-04-22
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update or Mitigate
AI Analysis

Impact

A Time‑of‑Check to Time‑of‑Use flaw (CWE‑367) in the cp utility of uutils coreutils allows an attacker to bypass the no‑dereference intent by swapping a regular file for a symbolic link between the check and the open operation, exploiting the lack of the O_NOFOLLOW flag (CWE‑59). The attacker may use concurrent write access to perform the swap and then cause a privileged cp process to copy the contents of arbitrary sensitive files into a destination the attacker controls, resulting in exposure of confidential data.

Affected Systems

The vulnerability affects the Uutils coreutils product, specifically the cp command. No version numbers are provided, so all current releases that include the cp utility could be vulnerable until a fixed version is released.

Risk and Exploitability

The CVSS score of 4.7 marks it as moderate severity. The EPSS score is reported as less than 1 %, indicating a low probability of exploitation currently. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to have concurrent write access to the source or destination location and the ability to run the cp command with elevated privileges. Without proper mitigations, the risk remains of confidential data being disclosed.

Generated by OpenCVE AI on April 28, 2026 at 08:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched release of uutils coreutils where the cp implementation uses the O_NOFOLLOW flag and removes the TOCTOU race condition (addressing CWE‑367 and CWE‑59).
  • Limit write permissions on directories that are subject to cp operations to a minimal set of trusted users, preventing attackers from performing the symlink swap during the check‑use window.
  • Execute cp under the lowest privilege level required for the copy task, and when elevation is necessary, preferentially use the operating system’s cp command that enforces no‑dereference semantics.
  • If a fixed binary is not yet available, wrap the cp invocation with a wrapper that checks for symlinks and sets O_NOFOLLOW before opening the source file, thereby mitigating the CWE‑59 weakness.

Generated by OpenCVE AI on April 28, 2026 at 08:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hpfw-mqm3-33jh uutils coreutils has a Link Following issue
History

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Uutils
Uutils coreutils
CPEs cpe:2.3:a:uutils:coreutils:-:*:*:*:*:rust:*:*
Vendors & Products Uutils
Uutils coreutils

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
Title uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap
Weaknesses CWE-367
CWE-59
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Uutils Coreutils
cve-icon MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:50:54.548Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35359

cve-icon Vulnrichment

Updated: 2026-04-22T17:50:44.706Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:38.537

Modified: 2026-04-24T19:02:25.720

Link: CVE-2026-35359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:15:23Z

Weaknesses